IT2023043 - Recommendation 16

Direct and require confirmation of completion from OST's cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE)-Software-as-a-Service, Infrastructure-as-a-service, and Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop security baseline configuration settings and a checklist and assess whether the COE cloud-based system is properly configured and the network secure. c. Develop and implement a process to conduct reviews of the system audit logs to enhance its ability to identify suspicious, inappropriate, unusual, or malevolent activity. d. Develop and implement a process that requires timely updates to security patches that address software flaws which mitigate the risks associated with mission-related operating system patches and data exfiltration. e. Develop a Privacy Impact Analysis to identify and protect personally identifiable information and other sensitive information hosted in the COE cloud.